feat: add cloud_healthcare policies, inputs and documentation #396

Open
abhay652 wants to merge 1 commit into dev from gcp/service/cloud_healthcare
Conversation

@abhay652
No description provided.

@github-actions
🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_workspace.labels.message
Total Healthcare Workspace detected: 2 
["Situation 1: Healthcare Workspace 'environment' label is missing or not an approved value", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'environment' label to one of: dev, test, staging, prod"]
["Situation 2: Healthcare Workspace 'owner' label is missing or empty", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'owner' label to identify the team responsible for this resource"]
Unique resource names in plan (google_healthcare_workspace): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dataset_iam.member.message
Total Healthcare Dataset IAM detected: 2 
['Situation 1: Dataset IAM member must not be allUsers or allAuthenticatedUsers — exposes all stores (FHIR, DICOM, HL7v2, Consent) to public access', 'Non-Compliant Resources: nc', "Potential Remedies: Replace 'allUsers' or 'allAuthenticatedUsers' with a specific service account, user, or group, Example: serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]
Unique resource names in plan (google_healthcare_dataset_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dataset_iam.role.message
Total Healthcare Dataset IAM detected: 2 
['Situation 1: Dataset IAM role must not be a primitive role — grants overly broad access across ALL stores in the dataset', 'Non-Compliant Resources: nc', 'Potential Remedies: Replace primitive roles with a specific healthcare dataset role, Approved roles: roles/healthcare.datasetViewer, roles/healthcare.datasetAdmin']
Unique resource names in plan (google_healthcare_dataset_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_consent_store_iam.member.message
Total Healthcare Consent Store IAM detected: 2 
['Situation 1: Consent Store IAM member must not be allUsers or allAuthenticatedUsers — grants public access to PHI', 'Non-Compliant Resources: nc', "Potential Remedies: Replace 'allUsers' or 'allAuthenticatedUsers' with a specific service account, user, or group, Example: serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]
Unique resource names in plan (google_healthcare_consent_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_consent_store_iam.role.message
Total Healthcare Consent Store IAM detected: 2 
['Situation 1: Consent Store IAM role must not be a primitive role — violates least privilege for PHI access', 'Non-Compliant Resources: nc', 'Potential Remedies: Replace primitive roles with a specific healthcare role, Approved roles: roles/healthcare.consentStoreViewer, roles/healthcare.consentStoreEditor, roles/healthcare.consentStoreAdmin']
Unique resource names in plan (google_healthcare_consent_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dataset.location.message
Total Healthcare Dataset detected: 2 
['Situation 1: Healthcare Dataset is not deployed in an approved location — PHI data residency requirement violated', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to one of the approved regions: us-central1, us-east1, us-east4, australia-southeast1, australia-southeast2']
Unique resource names in plan (google_healthcare_dataset): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dataset.encryption_spec.message
Total Healthcare Dataset detected: 2 
['Situation 1: Healthcare Dataset does not have CMEK encryption configured — uses Google-managed keys only', 'Non-Compliant Resources: nc', 'Potential Remedies: Add an encryption_spec block with a valid KMS key name, Example: encryption_spec { kms_key_name = "projects/PROJECT/locations/REGION/keyRings/RING/cryptoKeys/KEY" }']
Unique resource names in plan (google_healthcare_dataset): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_fhir_store_iam.member.message
Total Healthcare FHIR Store IAM detected: 2 
['Situation 1: FHIR Store IAM member must not be allUsers or allAuthenticatedUsers — grants public access to patient health records', 'Non-Compliant Resources: nc', "Potential Remedies: Replace 'allUsers' or 'allAuthenticatedUsers' with a specific service account, user, or group, Example: serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]
Unique resource names in plan (google_healthcare_fhir_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_fhir_store_iam.role.message
Total Healthcare FHIR Store IAM detected: 2 
['Situation 1: FHIR Store IAM role must not be a primitive role — violates least privilege for patient health record access', 'Non-Compliant Resources: nc', 'Potential Remedies: Replace primitive roles with a specific FHIR store role, Approved roles: roles/healthcare.fhirResourceViewer, roles/healthcare.fhirResourceEditor, roles/healthcare.fhirStoreAdmin']
Unique resource names in plan (google_healthcare_fhir_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dicom_store_iam.member.message
Total Healthcare DICOM Store IAM detected: 2 
['Situation 1: DICOM Store IAM member must not be allUsers or allAuthenticatedUsers — grants public access to medical imaging data', 'Non-Compliant Resources: nc', "Potential Remedies: Replace 'allUsers' or 'allAuthenticatedUsers' with a specific service account, user, or group, Example: serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]
Unique resource names in plan (google_healthcare_dicom_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dicom_store_iam.role.message
Total Healthcare DICOM Store IAM detected: 2 
['Situation 1: DICOM Store IAM role must not be a primitive role — violates least privilege for medical imaging data access', 'Non-Compliant Resources: nc', 'Potential Remedies: Replace primitive roles with a specific DICOM store role, Approved roles: roles/healthcare.dicomStoreViewer, roles/healthcare.dicomEditor, roles/healthcare.dicomStoreAdmin']
Unique resource names in plan (google_healthcare_dicom_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_fhir_store.version.message
Total Healthcare FHIR Store detected: 2 
['Situation 1: FHIR Store is not using an approved FHIR version — DSTU2 is deprecated and not approved for production', 'Non-Compliant Resources: nc', 'Potential Remedies: Set version to an approved FHIR version: R4 or STU3, Example: version = "R4"']
Unique resource names in plan (google_healthcare_fhir_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_fhir_store.disable_resource_versioning.message
Total Healthcare FHIR Store detected: 2 
['Situation 1: FHIR Store has resource versioning disabled — historical versions not retained, breaking audit trail', 'Non-Compliant Resources: nc', 'Potential Remedies: Set disable_resource_versioning to false, This ensures all write operations retain historical versions for audit and compliance']
Unique resource names in plan (google_healthcare_fhir_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_fhir_store.labels.message
Total Healthcare FHIR Store detected: 2 
["Situation 1: FHIR Store 'environment' label is missing or not an approved value", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'environment' label to one of: dev, test, staging, prod"]
["Situation 2: FHIR Store 'owner' label is missing or empty", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'owner' label to identify the team responsible for this resource"]
Unique resource names in plan (google_healthcare_fhir_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_fhir_store.enable_update_create.message
Total Healthcare FHIR Store detected: 2 
['Situation 1: FHIR Store has enable_update_create set to true — allows client-specified IDs that may contain sensitive patient identifiers', 'Non-Compliant Resources: nc', 'Potential Remedies: Set enable_update_create to false, This ensures all IDs are server-assigned, preventing patient identifiers from appearing in audit logs and Pub/Sub notifications']
Unique resource names in plan (google_healthcare_fhir_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dicom_store.notification_config.message
Total Healthcare DICOM Store detected: 2 
['Situation 1: DICOM Store does not have a notification_config Pub/Sub topic configured — medical imaging operations cannot be audited', 'Non-Compliant Resources: nc', 'Potential Remedies: Add a notification_config block with a valid Pub/Sub topic, Example: notification_config { pubsub_topic = "projects/PROJECT/topics/TOPIC" }']
Unique resource names in plan (google_healthcare_dicom_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dicom_store.labels.message
Total Healthcare DICOM Store detected: 2 
["Situation 1: DICOM Store 'environment' label is missing or not an approved value", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'environment' label to one of: dev, test, staging, prod"]
["Situation 2: DICOM Store 'owner' label is missing or empty", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'owner' label to identify the team responsible for this resource"]
Unique resource names in plan (google_healthcare_dicom_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_pipeline_job.disable_lineage.message
Total Healthcare Pipeline Job detected: 2 
['Situation 1: Healthcare Pipeline Job has lineage tracking disabled — data provenance cannot be audited', 'Non-Compliant Resources: nc', 'Potential Remedies: Set disable_lineage to false, This ensures lineage tracking is enabled, maintaining data provenance for audit and compliance']
Unique resource names in plan (google_healthcare_pipeline_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_pipeline_job.labels.message
Total Healthcare Pipeline Job detected: 2 
["Situation 1: Healthcare Pipeline Job 'environment' label is missing or not an approved value", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'environment' label to one of: dev, test, staging, prod"]
["Situation 2: Healthcare Pipeline Job 'owner' label is missing or empty", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'owner' label to identify the team responsible for this resource"]
Unique resource names in plan (google_healthcare_pipeline_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_hl7_v2_store_iam.member.message
Total Healthcare HL7 V2 Store IAM detected: 2 
['Situation 1: HL7 V2 Store IAM member must not be allUsers or allAuthenticatedUsers — grants public access to clinical messaging data', 'Non-Compliant Resources: nc', "Potential Remedies: Replace 'allUsers' or 'allAuthenticatedUsers' with a specific service account, user, or group, Example: serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]
Unique resource names in plan (google_healthcare_hl7_v2_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_hl7_v2_store_iam.role.message
Total Healthcare HL7 V2 Store IAM detected: 2 
['Situation 1: HL7 V2 Store IAM role must not be a primitive role — violates least privilege for clinical messaging data access', 'Non-Compliant Resources: nc', 'Potential Remedies: Replace primitive roles with a specific HL7 V2 store role, Approved roles: roles/healthcare.hl7V2StoreViewer, roles/healthcare.hl7V2Ingest, roles/healthcare.hl7V2StoreAdmin']
Unique resource names in plan (google_healthcare_hl7_v2_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_consent_store.enable_consent_create_on_update.message
Total Healthcare Consent Store detected: 2 
['Situation 1: Consent store has enable_consent_create_on_update set to true — PATCH becomes upsert breaking audit trail', 'Non-Compliant Resources: nc', 'Potential Remedies: Set enable_consent_create_on_update to false, This ensures PATCH requests only update existing consents, preserving the create/update audit trail']
Unique resource names in plan (google_healthcare_consent_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_consent_store.labels.message
Total Healthcare Consent Store detected: 2 
["Situation 1: Consent store 'environment' label is missing or not an approved value", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'environment' label to one of: dev, test, staging, prod"]
["Situation 2: Consent store 'owner' label is missing or empty", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'owner' label to identify the team responsible for this resource"]
Unique resource names in plan (google_healthcare_consent_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_consent_store.default_consent_ttl.message
Total Healthcare Consent Store detected: 2 
['Situation 1: Consent store does not have a default_consent_ttl configured — consents will never expire', 'Non-Compliant Resources: nc', 'Potential Remedies: Set default_consent_ttl to a duration string of at least 86400s (24 hours), Example: default_consent_ttl = "31536000s" (1 year)']
Unique resource names in plan (google_healthcare_consent_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_hl7_v2_store.notification_config.message
Total Healthcare HL7 V2 Store detected: 2 
['Situation 1: HL7 V2 Store does not have a notification_configs Pub/Sub topic configured — store changes cannot be audited', 'Non-Compliant Resources: nc', 'Potential Remedies: Add a notification_configs block with a valid Pub/Sub topic, Example: notification_configs { pubsub_topic = "projects/PROJECT/topics/TOPIC" }']
Unique resource names in plan (google_healthcare_hl7_v2_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_hl7_v2_store.reject_duplicate_message.message
Total Healthcare HL7 V2 Store detected: 2 
['Situation 1: HL7 V2 Store does not reject duplicate messages — may cause duplicate clinical events and data integrity issues', 'Non-Compliant Resources: nc', 'Potential Remedies: Set reject_duplicate_message to true, This ensures duplicate HL7 V2 messages are rejected, preventing duplicate clinical events']
Unique resource names in plan (google_healthcare_hl7_v2_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_hl7_v2_store.labels.message
Total Healthcare HL7 V2 Store detected: 2 
["Situation 1: HL7 V2 Store 'environment' label is missing or not an approved value", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'environment' label to one of: dev, test, staging, prod"]
["Situation 2: HL7 V2 Store 'owner' label is missing or empty", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'owner' label to identify the team responsible for this resource"]
Unique resource names in plan (google_healthcare_hl7_v2_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_healthcare
  Resource: google_healthcare_consent_store
    Policy: enable_consent_create_on_update - ✅
    Policy: labels - ✅
    Policy: default_consent_ttl - ✅
  Resource: google_healthcare_consent_store_iam
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_healthcare_dataset
    Policy: location - ✅
    Policy: encryption_spec - ✅
  Resource: google_healthcare_dataset_iam
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_healthcare_dicom_store
    Policy: notification_config - ✅
    Policy: labels - ✅
  Resource: google_healthcare_dicom_store_iam
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_healthcare_fhir_store
    Policy: version - ✅
    Policy: disable_resource_versioning - ✅
    Policy: labels - ✅
    Policy: enable_update_create - ✅
  Resource: google_healthcare_fhir_store_iam
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_healthcare_hl7_v2_store
    Policy: notification_config - ✅
    Policy: reject_duplicate_message - ✅
    Policy: labels - ✅
  Resource: google_healthcare_hl7_v2_store_iam
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_healthcare_pipeline_job
    Policy: disable_lineage - ✅
    Policy: labels - ✅
  Resource: google_healthcare_workspace
    Policy: labels - ✅


@github-actions github-actions Bot added the CI-Approved PR approved by CI checks label May 12, 2026